i'm an OpenBSD developer, so i have some knowlege but could be biased.

> SSH (OpenSSH) is routinely used in secure access for remote server
> maintenance. However, as I see it, SSH has a number of security issues
> that have not been addressed (as far I know), which create unnecessary
> vulnerabilities.
> Some issues could be minimized by turning off password authentication,
> which is not practical in many cases. Other issues can be addressed by
> additional means, for example:
> 1. firewall port-knocking to block scanning and attacks
> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
> block dictionary attacks)

        i guess it can be handled in lines of spamd (greylisting) on OpenBSD.

> 3. pre- and post-filtering to prevent SSH from advertising itself and
> server OS

        is there any point in this as you can fingerprint OS both actively 
        and passively (p0f)?

> 4. block empty authentication requests
> 5. block sending host key fingerprint for invalid or no username
> 6. drop SSH reply (send no response) for invalid or no username

        i can understand your desire, but this is a feature used by some of the
        anonymous services such as anonymous CVS.  i'd leave it to openssh


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to